I am getting the warning message after upgrading the exchange 2010 to exchange 2013 as follows:
WARNING: The access control entry defines the ObjectType 'GUID' that can't be resolved.
Solution:
1. Finding the Corrupted ObjectType in the Exchange 2013.
Get-AdPermission "dc=example,dc=edu"
After executing the above command from the Exchange Management Shell, it lists the ACL entries for that object and also reports the corrupted ObjectType. Sample output:
example.edu Everyone True False
example.edu Everyone False False
example.edu NT AUTHORITY\ENTE... False False
example.edu NT AUTHORITY\Auth... False False
example.edu NT AUTHORITY\SYSTEM False False
example.edu BUILTIN\Administr... False False
example.edu S-1-5-32-554 False False
example.edu S-1-5-32-554 False False
WARNING: The object example.edu has been corrupted, and it's in an inconsistent state. The following validation happened:
WARNING: The access control entry defines the ObjectType 'acd46e6d7-8d45-4516-a4b3-61c0e509b5be' that can't be resolved..
2. Finding the Corrupted ACL Entry
Import-Module ActiveDirectory
Get-Acl "AD:\DC=example,DC=edu" | Select-Object -ExpandProperty Access | Where-Object {$_.ObjectType.ToString() -eq "acd46e6d7-8d45-4516-a4b3-61c0e509b5be"} | Export-Csv "acl.csv" -NoTypeInformation
The exported acl.csv contains the single entry that carries the unresolvable ObjectType:
"ActiveDirectoryRights","InheritanceType","ObjectType","InheritedObjectType","ObjectFlags","AccessControlType","IdentityReference","IsInherited","InheritanceFlags","PropagationFlags"
"ExtendedRight","All","acd46e6d7-8d45-4516-a4b3-61c0e509b5be","00000000-0000-0000-0000-000000000000","ObjectAceTypePresent","Allow","example\testGroup","False","ContainerInherit","None"
3. Finding the Corresponding Corrupted Permissions
Get-ADPermission "dc=example,dc=edu" | Where-Object {$_.User -like "*testGroup"} | ft Identity,User,ExtendedRights,AccessRights
Identity User ExtendedRights AccessRights
-------- ---- -------------- ------------
example.edu example\testGroup {Change Password} {ExtendedRight}
example.edu example\testGroup {ExtendedRight}
The corrupted ACL entry in the example.edu container is the second row: an ExtendedRight whose name is blank because its ObjectType GUID cannot be resolved to any extended right.
4. Removing the Corrupted ACL entry in ADUC User Interface.
Log in as a domain admin and remove the ACL entry as follows:
Right Click on the example.edu domain --> Properties --> Security --> Advanced --> Select the corrupted ACL entry --> Remove
The issue will be resolved after removing the corrupted ACL entry.
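As an added example, not part of the original post: a read-only PowerShell check that generalises steps 1 to 3 by comparing every ObjectType and InheritedObjectType GUID on the domain head against the schema and extended-rights GUIDs that Active Directory can actually resolve. It assumes the ActiveDirectory module is available, uses the post's example DN, and the output file name unresolved-aces.csv is my own choice.

```powershell
# Added example (not from the original post): list ACEs on the domain head whose
# ObjectType / InheritedObjectType GUID resolves to no schema class, attribute,
# property set or extended right. Requires the ActiveDirectory module.
# $TargetDN is the post's example domain; replace it with your own.
Import-Module ActiveDirectory
$TargetDN = "DC=example,DC=edu"

$rootDse = Get-ADRootDSE
# Build the set of every GUID an object-specific ACE may legitimately reference:
# schemaIDGUID of classes/attributes, plus rightsGuid of extended rights and property sets.
$known = New-Object 'System.Collections.Generic.HashSet[guid]'
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter "(schemaIDGUID=*)" -Properties schemaIDGUID |
    ForEach-Object { [void]$known.Add([guid]$_.schemaIDGUID) }
$extRightsDN = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
Get-ADObject -SearchBase $extRightsDN -LDAPFilter "(objectClass=controlAccessRight)" -Properties rightsGuid |
    ForEach-Object { [void]$known.Add([guid]$_.rightsGuid) }

$acl = Get-Acl -Path "AD:\$TargetDN"
$suspect = foreach ($ace in $acl.Access) {
    # The all-zero GUID means "no specific object type" and is always valid.
    $bad = @()
    foreach ($g in @($ace.ObjectType, $ace.InheritedObjectType)) {
        if ($g -ne [guid]::Empty -and -not $known.Contains($g)) { $bad += $g }
    }
    if ($bad.Count -gt 0) {
        [pscustomobject]@{
            IdentityReference     = $ace.IdentityReference
            ActiveDirectoryRights = $ace.ActiveDirectoryRights
            AccessControlType     = $ace.AccessControlType
            IsInherited           = $ace.IsInherited
            UnresolvedGuid        = ($bad -join ';')
        }
    }
}

# Report only; removal stays a manual decision in ADUC (step 4). Entries for trustees
# such as SELF or CREATOR OWNER showing up here after a schema extension are usually
# resolved by an iisreset on the Exchange servers rather than by deleting the ACE.
$suspect | Format-Table -AutoSize
$suspect | Export-Csv -Path "unresolved-aces.csv" -NoTypeInformation
```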
Great how-to. After working through the commands it turns out to be "Self" and "Creator Owner". What could that mean?
Yes, mine was Self as well. Don't know what to do!
When "Creator Owner" and/or "Self" give this error, of course do not delete these. Check Active Directory and see if everything is all right. First fix AD if necessary and then do an iisreset. I had this problem when I had extended the AD schema from 2012 R2 to 2016. iisreset fixed it.
Great!! We had the same issue after performing the AD Schema 2016 update.
Once we performed the IIS reset on all Exchange 2016 servers, the issue was resolved. Thank you :)
Well done Bart - this worked for us too, great shout on the schema extension as cause and a simple fix.
Well done. Hard to find good quality responses these days.
In part 3, how do you tell which record is the corrupted one?
It is important to note that steps 1 and 3 you must run from the Exchange Management Shell, and in step 2 you must import the AD module ("import-module activedirectory") or you will receive a drive letter error.